Overview

overview

10

Static

static

SecuriteIn...79.exe

windows7-x64

10

SecuriteIn...79.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-08-2022 21:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.11564.5379.exe

  • Size

    779KB

  • MD5

    bec825008e3f4365a8a71961ba806f27

  • SHA1

    a0f073d37901dd918af4e58f82a19e46479edc6b

  • SHA256

    9e31da664bede9c4709cdbf2ec6a791dadc490cd30a67a3d2bbae42c7e9318ed

  • SHA512

    c251ee9de6053e57a0547f31b3469a6dc70619b6562c5345f3d76b8ffbc06b07c86749908f8eae1a7216a9c0c41eb1bbcc22318f6e5eefd6b1ee206c62be7526

  • SSDEEP

    12288:osUf0eH06SolylSx1XqVlSyH0f67ajvKVl94tu1UNPuEz4YTLvNcMb4IoR55KFe:Xg3uSyUi7Iq9Z1UpuRMPoR5E

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • offline_keylogger

    true

  • password

    Password234

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.11564.5379.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.11564.5379.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WeVSCisyy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBDAE.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1840
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.11564.5379.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        3⤵
        • Executes dropped EXE
        PID:2356

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpBDAE.tmp
    Filesize

    1KB

    MD5

    d5b5b71730889cd33363889a97bfd53b

    SHA1

    c35c755535dfb83aa52516a3490a7fb46b1be0c9

    SHA256

    33dcd7bc4aaee28397e1c32b03041576a1dd12fb822c1821070f0c8e9d78c103

    SHA512

    f58a63b94a3153f5344115db66de27fa4439088e5c45bc9d51f088b712c11b9300bd7beb72529648e420fb69f5755577da6c51b73d61e89e108b39affafdf39d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    779KB

    MD5

    bec825008e3f4365a8a71961ba806f27

    SHA1

    a0f073d37901dd918af4e58f82a19e46479edc6b

    SHA256

    9e31da664bede9c4709cdbf2ec6a791dadc490cd30a67a3d2bbae42c7e9318ed

    SHA512

    c251ee9de6053e57a0547f31b3469a6dc70619b6562c5345f3d76b8ffbc06b07c86749908f8eae1a7216a9c0c41eb1bbcc22318f6e5eefd6b1ee206c62be7526

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    779KB

    MD5

    bec825008e3f4365a8a71961ba806f27

    SHA1

    a0f073d37901dd918af4e58f82a19e46479edc6b

    SHA256

    9e31da664bede9c4709cdbf2ec6a791dadc490cd30a67a3d2bbae42c7e9318ed

    SHA512

    c251ee9de6053e57a0547f31b3469a6dc70619b6562c5345f3d76b8ffbc06b07c86749908f8eae1a7216a9c0c41eb1bbcc22318f6e5eefd6b1ee206c62be7526

    Download Submit
  • memory/1840-137-0x0000000000000000-mapping.dmp
    Download
  • memory/2356-144-0x0000000000000000-mapping.dmp
    Download
  • memory/3284-142-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3284-139-0x0000000000000000-mapping.dmp
    Download
  • memory/3284-140-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3284-143-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/4496-136-0x0000000005580000-0x000000000558A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4496-132-0x00000000008F0000-0x00000000009BA000-memory.dmp
    Filesize

    808KB

    Download
  • memory/4496-135-0x00000000054D0000-0x000000000556C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4496-134-0x0000000005390000-0x0000000005422000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4496-133-0x00000000058A0000-0x0000000005E44000-memory.dmp
    Filesize

    5.6MB

    Download